Groups

A group represents a collection of users with a
common function, feature or interest. Typically, this grouping has no privileges
associated with it. Groups can exist at two levels: within an organization
and within other managed groups. Groups that exist within other groups are
called sub-groups. Sub-groups are child nodes that “physically”
exist within a parent group.

Access Manager also supports nested groups, which
are “representations” of existing groups contained in a single
group. Unlike sub-groups, nested groups can exist anywhere in the directory
information tree (DIT). They allow you to quickly set up access permissions
for a large number of users.

There are two types of groups you can create: static groups and dynamic
groups. Users can only be added to static groups manually, while dynamic groups
control the addition of users through a filter. Nested groups or sub-groups can be
added to both types.

Static Group

A static group is created based on the Managed Group Type you specify.
Group members are added to a group entry using the groupOfNames or
groupOfUniqueNames object class.

Note –

By default, the managed group type is dynamic. You can change
this default in the Administration service configuration.

Dynamic Group

A dynamic group is created through the use of an LDAP filter. All entries
are funneled through the filter and dynamically assigned to the group. The
filter looks for a given attribute in each entry and returns the entries that
contain it. For example, if you create a group based on a building
number, the filter returns a list of all users whose entries contain the
building number attribute.

Note –

Access Manager should be configured with Directory Server to use
the referential integrity plug-in. When the referential integrity plug-in
is enabled, it performs integrity updates on specified attributes immediately
after a delete or rename operation. This ensures that relationships between
related entries are maintained throughout the database. Database indexes enhance
the search performance in Directory Server. For more information on enabling
the plug-in, see the Sun Java System Access Manager 6 2005Q1 Migration Guide.

To Create a Static Group

Navigate to the organization, group, or group container where
the new group will be created.

From the Groups list, click New Static.

Enter a name for the group in the Name field. Click Next.

Select the Users Can Subscribe to this Group attribute to allow
users to subscribe to the group themselves.

Click OK.

Once the group is created, you can edit
the Users Can Subscribe to this Group attribute by selecting the name of the
group and clicking the General tab.

To Add or Remove Members to a Static Group

From the Groups list, select the group to which you will add members.

Choose an action to perform in the Select Action menu. The actions
you can perform are as follows:

New User

This action creates a new user and adds the user to the group
when the user information is saved.

Add User

This action adds an existing user to the group. When you select
this action, you create search criteria that specify the users you wish
to add. The fields used to construct the criteria use either an ANY or ALL
operator. ALL returns users that match all specified fields. ANY returns
users that match any one of the specified fields. If a field is left blank,
it will match all possible entries for that particular attribute.

Once you have constructed the search criteria, click Next. From the
returned list of users, select the users you wish to add and click Finish.

Add Group

This action adds a nested group to the current group. When
you select this action, you create search criteria, including the search scope
and the name of the group (the “*” wildcard is accepted), and you
can specify whether users can subscribe to the group themselves. Once you
have entered the information, click Next. From the returned list of groups,
select the group you wish to add and click Finish.

Remove Members

This action will remove members (which includes users and
groups) from the group, but will not delete them. Select the member(s) you
wish to remove and choose Remove Members from the Select Actions menu.

Delete Members

This action will permanently delete the member you select.
Select the member(s) you wish to delete and choose Delete Members.

To Create a Dynamic Group

Navigate to the organization or group where the new group will
be created.

Click the Groups tab.

Click New Dynamic.

Enter a name for the group in the Name field.

Construct the LDAP search filter.

By default, Access
Manager displays the Basic search filter interface. The Basic fields used
to construct the filter use either an ANY or ALL operator. ALL returns users
that match all specified fields. ANY returns users that match any one of the
specified fields. If a field is left blank, it will match all possible entries
for that particular attribute.

When you click OK, all users matching the search criteria are automatically
added to the group.
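
The ALL/ANY behaviour described above, as an added example (not Access Manager code): Python that builds an equivalent LDAP filter from the Basic fields and previews which directory entries would be placed in the group. It assumes ALL maps to `(&...)`, ANY maps to `(|...)`, and a blank field becomes a presence test; `buildingNumber` is a hypothetical attribute name and the entries are constructed.

```python
"""Preview a dynamic group's Basic filter before saving it (added example)."""

# RFC 4515 escapes for characters that would otherwise change filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Return value with LDAP filter metacharacters escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(fields, operator):
    """Combine form fields into one LDAP filter string.
    Assumptions: ALL maps to (&...), ANY maps to (|...), and a blank
    field becomes a presence test (attr=*).
    """
    if operator not in ("ALL", "ANY"):
        raise ValueError("operator must be ALL or ANY")
    terms = "".join(
        "(%s=%s)" % (attr, escape_value(value) if value else "*")
        for attr, value in fields.items()
    )
    return "(%s%s)" % ("&" if operator == "ALL" else "|", terms)


def preview_members(entries, fields, operator):
    """Return the DNs that the same criteria would place in the group."""
    combine = all if operator == "ALL" else any
    members = []
    for entry in entries:
        attrs = {k.lower(): [v.lower() for v in vs] for k, vs in entry["attrs"].items()}
        hits = [
            bool(attrs.get(attr.lower())) if not value
            else value.lower() in attrs.get(attr.lower(), [])
            for attr, value in fields.items()
        ]
        if combine(hits):
            members.append(entry["dn"])
    return members


# Constructed sample entries; buildingNumber is a hypothetical attribute name.
SAMPLE = [
    {"dn": "uid=alee,ou=People,dc=example,dc=com", "attrs": {"buildingNumber": ["12"], "departmentNumber": ["eng"]}},
    {"dn": "uid=bkim,ou=People,dc=example,dc=com", "attrs": {"buildingNumber": ["12"]}},
    {"dn": "uid=cdiaz,ou=People,dc=example,dc=com", "attrs": {"departmentNumber": ["sales"]}},
    {"dn": "uid=svc,ou=People,dc=example,dc=com", "attrs": {"cn": ["svc"]}},
]
CRITERIA = {"buildingNumber": "12", "departmentNumber": ""}
```

With `CRITERIA`, ALL admits one sample entry while ANY admits three, because the blank `departmentNumber` field matches every entry that carries that attribute.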

To Add or Remove Members to a Dynamic Group

From the Groups list, click the name of the group to which you
will add members.

Choose an action to perform in the Select Action menu. The actions
you can perform are as follows:

Add Group

This action adds a nested group to the current group. When
you select this action, you create search criteria, including the search scope
and the name of the group (the “*” wildcard is accepted), and you
can specify whether users can subscribe to the group themselves. Once you
have entered the information, click Next. From the returned list of groups,
select the group you wish to add and click Finish.

Remove Members

This action will remove members (which includes groups) from
the group, but will not delete them. Select the member(s) you wish to remove
and choose Remove Members.

Delete Members

This action will permanently delete the member you select.
Select the member(s) you wish to delete and choose Delete Members.

To Add a Group to a Policy

Access Manager objects are added to a policy through the policy’s
subject definition. When a policy is created or modified, organizations, roles,
groups, and users can be defined as the subject in the policy’s Subject
page. Once the subject is defined, the policy will be applied to the object.
For more information, see Managing Policies.